An armed cybercriminal group working out of Morocco has been targeting major retailers for creating fake gift cards, infiltrating their systems to steal millions of dollars by using them as a source of revenue, according to a new report by Microsoft. It's not just any old gift card scam that's trying to get shoppers to buy fake gift cards. Its goal is to compromise the internal systems of large retailers, luxury brands, and fast-food chains to steal money. This group is dubbed "Atlas Lion" or "Storm-0539."
Researchers at Microsoft have tracked the Moroccan group Storm-0539 since 2021, known as Atlas Lion, which specializes in the theft of gift cards. It has been estimated that this cybercriminal group has been active for more than a decade. They create fake charity websites to fool cloud companies into giving them access to their online computers free of charge. To avoid detection, they then trick employees at big US stores into giving them access to their gift card systems to steal gift cards without exceeding the limit.
Once inside, they use their techniques to steal gift cards. Unlike most cybercriminals who launch a single attack and move on, Storm-0539 establishes a persistent presence within a compromised system, allowing them to repeatedly generate and cash out fraudulent gift cards. This tactic makes them especially dangerous, with Microsoft reporting a troubling 30% increase in their activity leading up to the Memorial Day holiday compared to the previous two months.
It has always been a common practice for cybercriminals to target gift cards since they are typically unlinked to a specific account, making it difficult for them to be traced. Storm-0539 has taken it to the next level. Cybercriminals have long been drawn to gift cards because they usually are not linked to specific accounts or customers, which makes their use more difficult to scrutinize. It is common for gift card scams to increase during holiday periods such as Christmas and Labor Day because they are usually associated with different companies or customers.
In the days leading up to Memorial Day, Microsoft revealed that Storm-0539 had conducted a 30% increase in activity compared to the last two months when compared to the previous two months. During this period, Microsoft has been tracking Storm-0539 since late 2021. The group has developed from using malware on retail cash registers and kiosks for stealing payment card information to using malware for stealing payment information from the cards.
Their strategy changed as technology advanced, and they began targeting cloud services and card systems for large retailers, luxury brands, and fast-food chains. Indeed, fraudsters sometimes ask victims to use gift card codes as payment to avoid tracing them. In this case, however, the hackers have gone to the source and printed gift card codes worth thousands of dollars. When that is done, the hackers will then redeem the gift cards for their value, sell them to others, or cash them out using money mules.
Storm-0539, also known as Atlas Lion, has been active since at least late 2021 and focuses its activities on cybercrime, such as breaking into payment card accounts. But in recent months, Microsoft has also observed the group compromising gift card code systems, particularly before major holiday seasons.
It is reported that Microsoft observed a 30% increase in intrusion activity from Storm-0539 between March and May 2024, before the summer vacation season. It has been observed that an increase of 60% in attack activity between the fall and winter holidays in 2023, coincided with an increase in attack activity between September and December.
As part of the attack, the hackers often infiltrate corporations by sending phishing emails to employees' inboxes and phones to trick them into providing the hijackers with access to their accounts when they are not supposed to. A hacker attempts to identify a specific gift card business process that is associated with compromised employee accounts within a targeted organization by moving sideways through the network until they find compromised accounts that are linked to that specific portfolio," Microsoft explains. In his research, Jakkal observed that Storm-0539 has evolved to be adept at resetting the process of issuing gift cards to organizations and granting access to employees before compromising their account accesses.
Taking the form of legitimate organizations, Storm-0539 adopts the guise of non-profit organizations as part of its ongoing effort to remain undetected by cloud providers.
According to Jakkal, "They often exploit unsuspecting victims by creating convincing websites using misleading "typosquatting" domain names that are only a few characters different from legitimate websites to lure them into paying for them, showing their cunning and resourcefulness," he explained.
According to Microsoft, the hackers have recovered legitimate copies of 501(c)(3) letters from nonprofit organizations' public websites, and they are using these to gain access to discounted cloud services from cloud service providers by downloading them.
After they have gained access to login information by phishing and smishing emails, they register their devices into a victim's network and proceed to bypass the two-factor authentication by registering them into the victim's network, allowing them to continue to access the environment despite the MFA. They create new gift cards to resell them to other cybercriminals on the dark web at a discount or cash them out through money mules to cash out. According to Microsoft researchers, there have been instances where threat actors have stolen up to $100,000 from certain companies each day using ordinary gift cards that have been purchased by employees.
There is a warning from Microsoft that it wants to remind organizations that issue gift cards to treat the portals used to process the cards as high-value targets that need to be extensively checked and balanced before issuing the cards.
In a recent report, Microsoft issued a warning about the rise of cybercriminal activities involving gift card scams, specifically highlighting the actions of a group known as Storm-0539. This warning follows a similar alert from December, where Microsoft reported an increase in attacks by Storm-0539 during the holiday season.
According to Emiel Haeghebaert, a senior hunt analyst at the Microsoft Threat Intelligence Center, this group is comprised of no more than a dozen individuals based in Morocco.
Storm-0539 employs phishing campaigns to target employees and gain unauthorized access to both personal and corporate systems. The FBI has elaborated on their tactics, explaining that once initial access is obtained, the group uses further phishing campaigns to escalate their network privileges.
Their strategy involves targeting the mobile phones of employees in retail departments, exploiting both personal and work devices through sophisticated phishing kits capable of bypassing multi-factor authentication.
Upon compromising an employee's account, Storm-0539 conducts detailed reconnaissance within the business network to identify processes related to gift card management. They then pivot to infiltrate the accounts of employees handling the specific gift card portfolio.
Within these networks, the attackers seek to obtain secure shell (SSH) passwords and keys, along with the credentials of employees in the gift card department. After securing the necessary access, the group creates fraudulent gift cards using compromised employee accounts.
The recent report from Microsoft underscores the severity of this threat, echoing an earlier alert issued by the FBI concerning Storm-0539.
To mitigate such risks, Microsoft advises that merchants issuing gift cards should regard their gift card portals as high-value targets, necessitating constant monitoring and auditing for any suspicious activity.
Microsoft further recommends that organizations establish stringent controls over user access privileges. According to Microsoft, attackers like Storm-0539 typically assume they will encounter users with excessive access privileges, which can be exploited for significant impact. Regular reviews of privileges, distribution list memberships, and other user attributes are essential to limit the fallout from initial intrusions and to complicate the efforts of potential intruders.
In conclusion, both Microsoft and the FBI emphasize the importance of vigilance and proactive security measures in combating the sophisticated tactics employed by groups like Storm-0539. By treating gift card systems as critical assets and implementing rigorous access controls, organizations can better defend themselves against these evolving cyber threats.